From 7f8f8f53fbe2c8205b16456e01725b9eea76948e Mon Sep 17 00:00:00 2001
From: Levi van Noort <73097785+levivannoort@users.noreply.github.com>
Date: Fri, 26 Jun 2026 07:26:08 +0200
Subject: [PATCH 1/4] ci: point deployment pipelines at default.yaml
Switch both staging and production deployment workflows to update default.yaml instead of fra1.yaml in the declarative assets repo.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/production.yml | 4 ++--
 .github/workflows/staging.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
index 66655aa..fca6485 100644
--- a/.github/workflows/production.yml
+++ b/.github/workflows/production.yml
@@ -73,13 +73,13 @@ jobs:
 token: ${{ steps.app-token.outputs.token }}
 - name: Update image tag
- run: yq -i '.["mcp"].image.tag = strenv(TAG)' ${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/fra1.yaml
+ run: yq -i '.["mcp"].image.tag = strenv(TAG)' ${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/default.yaml
 - name: Commit and push
 run: |
 git config user.name "github-actions[bot]"
 git config user.email "github-actions[bot]@users.noreply.github.com"
- git add ${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/fra1.yaml
+ git add ${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/default.yaml
 if git diff --cached --quiet; then
 echo "No changes to commit"
 else
diff --git a/.github/workflows/staging.yml b/.github/workflows/staging.yml
index 7c92021..2f0c6b1 100644
--- a/.github/workflows/staging.yml
+++ b/.github/workflows/staging.yml
@@ -74,13 +74,13 @@ jobs:
 token: ${{ steps.app-token.outputs.token }}
 - name: Update image tag
- run: yq -i '.["mcp"].image.tag = strenv(TAG)' ${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/fra1.yaml
+ run: yq -i '.["mcp"].image.tag = strenv(TAG)' ${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/default.yaml
 - name: Commit and push
 run: |
 git config user.name "github-actions[bot]"
 git config user.email "github-actions[bot]@users.noreply.github.com"
- git add ${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/fra1.yaml
+ git add ${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/default.yaml
 if git diff --cached --quiet; then
 echo "No changes to commit"
 else
From 36940ff8b0de3f911a41ebb93f142fe967784aba Mon Sep 17 00:00:00 2001
From: Levi van Noort <73097785+levivannoort@users.noreply.github.com>
Date: Fri, 26 Jun 2026 07:27:00 +0200
Subject: [PATCH 2/4] ci: use release tag for production image tag
Drop the github.sha fallback so production always deploys the release tag.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/production.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
index fca6485..11c02c6 100644
--- a/.github/workflows/production.yml
+++ b/.github/workflows/production.yml
@@ -21,7 +21,7 @@ env:
 REGISTRY_GITHUB: ghcr.io
 REGISTRY_DOCKERHUB: docker.io
 IMAGE_NAME: appwrite/mcp
- TAG: ${{ github.event.release.tag_name || github.sha }}
+ TAG: ${{ github.event.release.tag_name }}
 jobs:
 build:
From a58117b876956b1b637a43e51f7d3b03c793b86f Mon Sep 17 00:00:00 2001
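Review bot: With the `|| github.sha` fallback removed from `TAG` in production.yml (patch 2/4), any run that is not a release event leaves `TAG` empty, and nothing visible rejects that; the workflow's `on:` block is outside this hunk, so whether such a trigger exists needs checking. An empty value would still reach `yq ... strenv(TAG)` and be committed to the manifest as the image tag. A guard at the start of the deploy script, `[ -n "$TAG" ] || { echo "TAG is empty"; exit 1; }`, would fail the run early instead. A comment above the line, `# release tag only; empty on non-release triggers`, would record the assumption.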
From: Levi van Noort <73097785+levivannoort@users.noreply.github.com>
Date: Fri, 26 Jun 2026 07:32:50 +0200
Subject: [PATCH 3/4] ci: make GitOps push resilient to concurrent deploys
The assets-applications repo is shared across apps, so a concurrent push can land between checkout and push, rejecting ours with a non-fast-forward error and silently skipping the manifest update. Retry the push up to 5 times, rebasing onto the remote each time.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/production.yml | 15 ++++++++++++---
 .github/workflows/staging.yml | 15 ++++++++++++---
 2 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
index 11c02c6..eb7521c 100644
--- a/.github/workflows/production.yml
+++ b/.github/workflows/production.yml
@@ -82,7 +82,16 @@ jobs:
 git add ${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/default.yaml
 if git diff --cached --quiet; then
 echo "No changes to commit"
- else
- git commit -m "chore(${{ env.ENVIRONMENT }}): ${{ env.PROJECT }} image tag to ${{ env.TAG }}"
- git push
+ exit 0
 fi
+ git commit -m "chore(${{ env.ENVIRONMENT }}): ${{ env.PROJECT }} image tag to ${{ env.TAG }}"
+ for attempt in 1 2 3 4 5; do
+ if git push; then
+ echo "Pushed on attempt $attempt"
+ exit 0
+ fi
+ echo "Push rejected (attempt $attempt), rebasing onto remote and retrying..."
+ git pull --rebase
+ done
+ echo "Failed to push after 5 attempts"
+ exit 1
diff --git a/.github/workflows/staging.yml b/.github/workflows/staging.yml
index 2f0c6b1..05442bb 100644
--- a/.github/workflows/staging.yml
+++ b/.github/workflows/staging.yml
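Review bot: The re-added `git commit -m "chore(${{ env.ENVIRONMENT }}): ${{ env.PROJECT }} image tag to ${{ env.TAG }}"` line in the production.yml hunk substitutes `${{ env.TAG }}` into the script text before the shell parses it, and since patch 2/4 `TAG` is the release tag name, so shell metacharacters in a tag name would be interpreted in a job that checks out the declarative repository with an app token. The `yq` step already reads the value from the environment with `strenv(TAG)`; the commit line should do the same: `git commit -m "chore($ENVIRONMENT): $PROJECT image tag to $TAG"`. This assumes `ENVIRONMENT` and `PROJECT` are workflow-level `env` entries like `TAG`, which is not visible here. The same line is added in the staging.yml hunk of this patch, and the `run:` block starts outside the hunk.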
@@ -83,7 +83,16 @@ jobs:
 git add ${{ env.ENVIRONMENT }}/${{ env.PROJECT }}/default.yaml
 if git diff --cached --quiet; then
 echo "No changes to commit"
- else
- git commit -m "chore(${{ env.ENVIRONMENT }}): ${{ env.PROJECT }} image tag to ${{ env.TAG }}"
- git push
+ exit 0
 fi
+ git commit -m "chore(${{ env.ENVIRONMENT }}): ${{ env.PROJECT }} image tag to ${{ env.TAG }}"
+ for attempt in 1 2 3 4 5; do
+ if git push; then
+ echo "Pushed on attempt $attempt"
+ exit 0
+ fi
+ echo "Push rejected (attempt $attempt), rebasing onto remote and retrying..."
+ git pull --rebase
+ done
+ echo "Failed to push after 5 attempts"
+ exit 1
From 41ddd342c4d8ed1242292aa944821409f003afb6 Mon Sep 17 00:00:00 2001
From: Levi van Noort <73097785+levivannoort@users.noreply.github.com>
Date: Fri, 26 Jun 2026 07:37:26 +0200
Subject: [PATCH 4/4] ci: serialize deploy jobs with a shared concurrency group
Add a job-level concurrency group (declarative-deploy) shared across the staging and production deploy jobs so they can't push to the GitOps repo at the same time. Builds still run in parallel.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/production.yml | 3 +++
 .github/workflows/staging.yml | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
index eb7521c..37a77a2 100644
--- a/.github/workflows/production.yml
+++ b/.github/workflows/production.yml
@@ -56,6 +56,9 @@ jobs:
 deploy:
 needs: build
 runs-on: ubuntu-latest
+ concurrency:
+ group: declarative-deploy
+ cancel-in-progress: false
 steps:
 - name: Get token for ${{ env.DECLARATIVE_REPOSITORY }}
 id: app-token
diff --git a/.github/workflows/staging.yml b/.github/workflows/staging.yml
index 05442bb..ca7ee79 100644
--- a/.github/workflows/staging.yml
+++ b/.github/workflows/staging.yml
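Review bot: The retry loop in the staging.yml hunk of patch 3/4 treats every `git push` failure as a lost race: an authentication or network error is also logged as "Push rejected" and retried five times with no pause, and after the fifth failure the loop still runs `git pull --rebase` before exiting. A short backoff before the rebase, `sleep $((attempt * 2))`, and skipping the pull on the last attempt would make the loop cheaper and its log less misleading. A comment above the loop, `# retry covers non-fast-forward rejections from concurrent pushes to the shared repo`, would record the intent. The production.yml hunk of the same patch has the identical loop, and the `run:` block starts outside the hunk.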
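Review bot: Sharing the single `declarative-deploy` group between staging and production (production.yml hunk of patch 4/4) means a queued deploy can be dropped: GitHub Actions keeps at most one pending job per concurrency group, and `cancel-in-progress: false` only protects the job that is already running, so a production deploy waiting behind a staging deploy is cancelled when another staging run queues. Concurrency groups are also scoped to this repository, so they do not serialize pushes from the other apps that the patch 3/4 message says share the GitOps repo; the retry loop still has to cover those. Per-environment groups, `group: declarative-deploy-production` here and `group: declarative-deploy-staging` in staging.yml, would keep a release deploy from being displaced by staging traffic. The same block is added in the staging.yml hunk.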
@@ -57,6 +57,9 @@ jobs:
 deploy:
 needs: build
 runs-on: ubuntu-latest
+ concurrency:
+ group: declarative-deploy
+ cancel-in-progress: false
 steps:
 - name: Get token for ${{ env.DECLARATIVE_REPOSITORY }}
 id: app-token